Subido por repretelt

Visión general de la gestión de riesgos

Anuncio
How Business, IT and Security Teams Gain a Common View of Risk
DEVELOPED BY
WITH CONTRIBUTIONS FROM
In today's digital business ecosystem, information technology and security teams need to build more proactive and value-driven IT risk and IT compliance programs. They
need to preserve business operations and their supporting technology environment, and protect regulated and sensitive information from
security breaches and adverse events. They must ensure their organizations can perform exceptionally well in the face of political, environmental, competitive,
regulatory and technology changes. In this illustration, we outline the five key areas in which business, IT and security teams need to ‘get on the same page’ in
developing an integrated view of risk and resilience.
1 BUSINESS OPERATIONS
Business Operations are highly dependent on automated and tightly
integrated technology systems to support processes and interactions
with 3rd parties and customers. To create an integrated risk framework,
Business, IT and Security teams must co-develop:
• Risk Appetite translated to required thresholds
• Common, organization-wide language of risk
supporting an analytics framework
• Contextual Intelligence to identify risk threshold
breaches and respond with agility
REGION
CUSTOMERS
DASHBOARDS
TRANSACTIONS
VALUE CHAIN
TASKS
RELATIONSHIPS
5 THREAT INTELLIGENCE
MANAGEMENT
THREAT FEEDS
WORKFLOW
RULES
FOCUS
THREAT
ASSESSMENT
REMEDIATION
DASHBOARD
2 CHANGE MANAGEMENT
Business Resilience must be
continuously optimized with
planning and preparedness to
support business operations
and the technology environment.
Business, IT and Security teams
must vigilantly align on:
• Business Impact Analysis with
appropriate RTO and RPOs
• High state of readiness with current
plans and rigorous testing
• Maximum responsiveness from
employees, suppliers, third parties,
customers and government
agencies
INVESTIGATIONS
THREAT PATTERNS
Threat Intelligence and
Response must continuously
evolve to adequately respond to
risks and vulnerabilities across
the IT landscape. IT and Security
teams must align on:
• Future-Ready assessments that
leverage continuous
monitoring of threat feeds
• Threat Intelligence and
analysis supported by machine
learning and AI
• Breach Readiness aligned
with crisis and incident
management
DOCUMENTS
CONTROL DASHBOARD
LOW
MED
HIGH
DATA
4 REGULATORY COMPLIANCE
MANAGEMENT
ASSETS
IT RISK
IOT
IT
COMPLIANCE
REGULATORY
INTELLIGENCE
Regulatory ¬Compliance Management
requires proactive analysis of
regulatory requirements to business
processes, information, third parties
and the extended global and local
technology environment. Teams must
converge on:
• A common understanding of global
and local regulatory obligations
• Harmonized control testing and
reporting across all regulations
• Agile regulatory management process
to assess the impact of change
REGULATORY
AUDIT
3 TECHNOLOGY LANDSCAPE
Technology Landscape – IT must ‘keep the
lights’ on and continuously improve the
landscape while adopting new technologies
such as cloud, mobile, Artificial Intelligence and
the Internet of Things. To lay the foundation that
will support an integrated risk model, IT must work
with business to define and keep current:
• Business process maps with references to underlying
technology apps, data and networks
• Best Practices in GRC to protect sensitive and
regulated information
• Agile processes to adopt emerging technologies
COMMON DRIVERS
FOR BUSINESS,
IT AND SECURITY
RISK TEAMS
Business, IT and Security Risk
teams benefit from an integrated
risk program that allows them to:
Contact info@oceg.org for comments, reprints or licensing requests ©2017 OCEG for additional resources visit www.oceg.org/resources
• Rapidly respond to risk with
insight and agility to support
better decisions
• Gain visibility and context into
the most urgent business risks
across operations
• Effectively serve finance,
legal, corporate compliance,
vendor management and
operations
• Manage a broad and dynamic
landscape of 3rd parties,
suppliers and customers
Descargar